diff --git a/Makefile b/Makefile
index 8940284eb40..04e18c3c2a0 100644
--- a/Makefile
+++ b/Makefile
@@ -28,10 +28,14 @@ test-sigmac:
 	! coverage run -a --include=tools/* tools/sigmac.py -t es-qs tests/not_existing.yml > /dev/null
 	! coverage run -a --include=tools/* tools/sigmac.py -t es-qs tests/invalid_yaml.yml > /dev/null
 	! coverage run -a --include=tools/* tools/sigmac.py -t es-qs tests/invalid_sigma-no_identifiers.yml > /dev/null
+	! coverage run -a --include=tools/* tools/sigmac.py -t es-qs tests/invalid_sigma-no_condition.yml > /dev/null
+	! coverage run -a --include=tools/* tools/sigmac.py -t es-qs tests/invalid_sigma-invalid_identifier_reference.yml > /dev/null
+	! coverage run -a --include=tools/* tools/sigmac.py -t es-qs tests/invalid_sigma-invalid_aggregation.yml > /dev/null
+	! coverage run -a --include=tools/* tools/sigmac.py -t es-qs tests/invalid_sigma-wrong_identifier_definition.yml > /dev/null
 	! coverage run -a --include=tools/* tools/sigmac.py -t es-qs rules/windows/builtin/win_susp_failed_logons_single_source.yml
 	! coverage run -a --include=tools/* tools/sigmac.py -t es-qs -o /not_possible rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
 	! coverage run -a --include=tools/* tools/sigmac.py -t es-qs -c not_existing rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
 	! coverage run -a --include=tools/* tools/sigmac.py -t es-qs -c tests/invalid_yaml.yml rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
 	! coverage run -a --include=tools/* tools/sigmac.py -t es-qs -c tests/invalid_config.yml rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
 	! coverage run -a --include=tools/* tools/sigmac.py -rvI -c tools/config/elk-defaultindex.yml -t kibana rules/ > /dev/null
-	coverage report --fail-under=80
+	coverage report --fail-under=90
diff --git a/tests/invalid_sigma-invalid_aggregation.yml b/tests/invalid_sigma-invalid_aggregation.yml
new file mode 100644
index 00000000000..41d3c9f16fe
--- /dev/null
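Review bot: The four added negative tests, like the existing ones above them, only assert a non-zero exit status through the leading `!`, so they also pass if sigmac aborts with an unhandled traceback instead of reporting the parse error each fixture is meant to trigger; the raised coverage floor then counts lines reached by a crash as tested. Capturing stderr and matching the message sigmac prints for that fixture would pin the intended error path, for example redirecting `2>&1 >/dev/null` into a `grep -q` on the expected text. The same applies to the other three added lines in this hunk.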
+++ b/tests/invalid_sigma-invalid_aggregation.yml
@@ -0,0 +1,7 @@
+title: Parse error in aggregation
+logsource:
+    product: linux
+detection:
+    foo:
+        - test
+    condition: foo | foo bar
diff --git a/tests/invalid_sigma-invalid_identifier_reference.yml b/tests/invalid_sigma-invalid_identifier_reference.yml
new file mode 100644
index 00000000000..f9430aa30a6
--- /dev/null
+++ b/tests/invalid_sigma-invalid_identifier_reference.yml
@@ -0,0 +1,7 @@
+title: Missing identifiers in detection section
+logsource:
+    product: linux
+detection:
+    foo:
+        - test
+    condition: bar
diff --git a/tests/invalid_sigma-no_condition.yml b/tests/invalid_sigma-no_condition.yml
new file mode 100644
index 00000000000..099bc5bab0e
--- /dev/null
+++ b/tests/invalid_sigma-no_condition.yml
@@ -0,0 +1,6 @@
+title: Missing condition
+logsource:
+    product: linux
+detection:
+    expression:
+        - test
diff --git a/tests/invalid_sigma-wrong_identifier_definition.yml b/tests/invalid_sigma-wrong_identifier_definition.yml
new file mode 100644
index 00000000000..8f3fa60d041
--- /dev/null
+++ b/tests/invalid_sigma-wrong_identifier_definition.yml
@@ -0,0 +1,6 @@
+title: Wrong identifier value type
+logsource:
+    product: linux
+detection:
+    foo: test
+    condition: foo
diff --git a/tools/backends.py b/tools/backends.py
index fc3f243bbf0..21979398912 100644
--- a/tools/backends.py
+++ b/tools/backends.py
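Review bot: In tests/invalid_sigma-invalid_identifier_reference.yml the title `Missing identifiers in detection section` does not describe the case the fixture exercises: an identifier `foo` is defined and the condition references an undefined `bar`, while the "missing identifiers" case is already covered by the existing tests/invalid_sigma-no_identifiers.yml in the Makefile. Since the title is the only place a reader learns what error each fixture is meant to provoke, it should name that, e.g. `title: Condition references an undefined identifier`.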
@@ -56,61 +56,6 @@ def print(self, *args, **kwargs):
     def close(self):
         self.fd.close()
 
-class MultiOutput:
-    """
-    Multiple file output
-
-    Prepares multiple SingleOutput instances with basename + suffix as file names, on for each suffix.
-    The switch() method is used to switch between these outputs.
-
-    This class must be inherited and suffixes must be a dict as follows: file id -> suffix
-    """
-    suffixes = None
-
-    def __init__(self, basename):
-        """Initializes all outputs with basename and corresponding suffix as SingleOutput object."""
-        if suffixes == None:
-            raise NotImplementedError("OutputMulti must be derived, at least suffixes must be set")
-        if type(basename) != str:
-            raise TypeError("OutputMulti constructor basename parameter must be string")
-
-        self.outputs = dict()
-        self.output = None
-        for name, suffix in self.suffixes:
-            self.outputs[name] = SingleOutput(basename + suffix)
-
-    def select(self, name):
-        """Select an output as current output"""
-        self.output = self.outputs[name]
-
-    def print(self, *args, **kwargs):
-        self.output.print(*args, **kwargs)
-
-    def close(self):
-        for out in self.outputs:
-            out.close()
-
-class StringOutput(SingleOutput):
-    """Collect input silently and return resulting string."""
-    def __init__(self, filename=None):
-        self.out = ""
-
-    def print(self, *args, **kwargs):
-        try:
-            del kwargs['file']
-        except KeyError:
-            pass
-        print(*args, file=self, **kwargs)
-
-    def write(self, s):
-        self.out += s
-
-    def result(self):
-        return self.out
-
-    def close(self):
-        pass
-
 ### Generic backend base classes and mixins
 class BaseBackend:
     """Base class for all backends"""
diff --git a/tools/sigma.py b/tools/sigma.py
index 16fc202c7aa..dcfd72f47dc 100644
--- a/tools/sigma.py
+++ b/tools/sigma.py
@@ -19,8 +19,6 @@ def __init__(self, sigma, config):
     def parse_sigma(self):
         try:    # definition uniqueness check
             for definitionName, definition in self.parsedyaml["detection"].items():
-                if definitionName in self.definitions:
-                    raise SigmaParseError("Definition '%s' was already defined" % (definitionName))
                 self.definitions[definitionName] = definition
                 self.extract_values(definition)     # builds key-values-table in self.values
         except KeyError:
@@ -45,7 +43,7 @@ def parse_definition_byname(self, definitionName, condOverride=None):
         try:
             definition = self.definitions[definitionName]
         except KeyError as e:
-            raise SigmaParseError("Unknown definition '%s'" % (definitionName)) from e
+            raise SigmaParseError("Unknown definition '%s'" % definitionName) from e
         return self.parse_definition(definition, condOverride)
 
     def parse_definition(self, definition, condOverride=None):
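Review bot: With the duplicate check gone, the `try:` in parse_sigma still wraps the whole loop, so a KeyError raised inside `self.extract_values(definition)` on a malformed definition is caught by the same `except KeyError:` as a missing `detection` section and handled as that case; the handler body lies outside the hunk, so what it reports is not visible here. Narrowing the try to the lookup keeps the two failures apart: `detection = self.parsedyaml["detection"]` as the only statement in the try, and `for definitionName, definition in detection.items():` after the except. The comment `# definition uniqueness check` on the try line now describes code that no longer exists and should go with it; a one-line note such as `# keys of the parsed YAML mapping are unique, so no duplicate check is needed` would explain the removal to the next reader, assuming parse_sigma is meant to run once per rule. parse_sigma continues past the end of the hunk.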